Find it tool information
=======================
Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone.(No CL in the regression range changed the crashing files.)

Author: danakj
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/a5cc021b6ee19af6a931db1042ec2ab562506010
Time: Wed Oct 15 21:27:42 2014
The CL last changed line 154 of file rect.cc, which is stack frame 0.

Author: danakj@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/be3925eecc44210e61b47de19858d45c28b3e361
Time: Fri Mar 08 02:41:47 2013
The CL last changed line 326 of file damage_tracker.cc, which is stack frame 1.

Author: danakj@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/be3925eecc44210e61b47de19858d45c28b3e361
Time: Fri Mar 08 02:41:47 2013
The CL last changed line 202 of file damage_tracker.cc, which is stack frame 2.

Author: weiliangc
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/4012ef768e802a281461207edad2624524d462ae
Time: Mon Apr 11 22:04:06 2016
The CL last changed line 126 of file damage_tracker.cc, which is stack frame 3.

Author: danakj@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/c1bb5af2c3312280b17ac23a36dff4d366da3cea
Time: Wed Mar 13 19:06:27 2013
The CL last changed line 664 of file layer_tree_host_impl.cc, which is stack frame 4.

Author: jaydasika
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/e57ef9da5138f83571aa273a8ac7f8684f950fb4
Time: Wed Jun 22 14:32:55 2016
The CL last changed line 798 of file layer_tree_host_impl.cc, which is stack frame 5.

Author: simonhong@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/30d82149616dafe805d5fb22b1ddfcddfeee5a22
Time: Mon May 12 04:26:02 2014
The CL last changed line 1123 of file layer_tree_host_impl.cc, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Internals>Compositing
============================

From the above information the changes made to the file "rect.cc" of frame 0 is more related to this issue.

danakj@ could you please look into this issue if it is related to your change,else please help us in finding the appropriate owner for this issue.

Thanks,

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/42fd7d7967bef71ac8d1b252c988529cbe5d8fa3

commit 42fd7d7967bef71ac8d1b252c988529cbe5d8fa3
Author: dmazzoni <dmazzoni@chromium.org>
Date: Wed Oct 05 16:54:59 2016

Explicitly show and hide accessible rings rather than using offscreen coords.

BUG= 648214 

Review-Url: https://codereview.chromium.org/2388093004
Cr-Commit-Position: refs/heads/master@{#423191}

[modify] https://crrev.com/42fd7d7967bef71ac8d1b252c988529cbe5d8fa3/chrome/browser/chromeos/accessibility/accessibility_highlight_manager.cc
[modify] https://crrev.com/42fd7d7967bef71ac8d1b252c988529cbe5d8fa3/chrome/browser/chromeos/ui/accessibility_focus_ring_controller.cc
[modify] https://crrev.com/42fd7d7967bef71ac8d1b252c988529cbe5d8fa3/chrome/browser/chromeos/ui/accessibility_focus_ring_controller.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8c14bf7d37bec879a5caa162f2c72a303da1a6e0

commit 8c14bf7d37bec879a5caa162f2c72a303da1a6e0
Author: enne <enne@chromium.org>
Date: Wed Oct 05 19:10:31 2016

Fix overflow/underflow in ui/gfx once and for all

ui/gfx/geometry currently has a number of spots where adding or
subtracting two integers can cause overflow or underflow.  Fix this so
that Point/Vector2d/Size/Rect all correctly clamp integer arithmetic to
not fall into undefined overflow or underflow.

The behavior is now that any operation that would have overflowed or
underflowed is now clamped to the max or min integer.  Additionally, for
rects, if their size is large enough to overflow right/bottom, this will
also be clamped.

gfx::Insets is left unchanged as it is only used by ui/views and so is
much more likely to be under user control and not overflow.

This patch also fixes an overflow error in the unit test that happened
in Rect::Inset.

BUG= 648214 

Review-Url: https://codereview.chromium.org/2354783004
Cr-Commit-Position: refs/heads/master@{#423243}

[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/mojo/geometry.typemap
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/point.h
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/point_unittest.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/rect.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/rect.h
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/rect_unittest.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/safe_integer_conversions.h
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/safe_integer_conversions_unittest.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/size.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/size_unittest.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/vector2d.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/vector2d_unittest.cc

ClusterFuzz has detected this issue as fixed in range 422899:423265.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6077976385159168

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gfx::Rect::Union
  cc::DamageTracker::ExtendDamageForLayer
  cc::DamageTracker::TrackDamageFromActiveLayers
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=422899:423265

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94kWOq2Hrvk84QjjnBrtrkvKcopoD_StV6bVzXBGl1nlzlyCGz1JIP8jnUGGg-xVkL7ch8KgIjYuEdoDkCZU4MH89k3pACVhIL96gHycxf8Fq2c_HCiaAR13CmJAGZuWR7QKb6rysAlYXKwcvNeNq1ye4vRMg?testcase_id=6077976385159168
<style>#camera {
    -webkit-perspective: 800px
    }
#container:not([class*=""]) {
    transform: translatez(800px)
</style>
  <div id=camera>
    <div id=container>vd b# !x[1 	B]gkJ	(


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/42fd7d7967bef71ac8d1b252c988529cbe5d8fa3

commit 42fd7d7967bef71ac8d1b252c988529cbe5d8fa3
Author: dmazzoni <dmazzoni@chromium.org>
Date: Wed Oct 05 16:54:59 2016

Explicitly show and hide accessible rings rather than using offscreen coords.

BUG= 648214 

Review-Url: https://codereview.chromium.org/2388093004
Cr-Commit-Position: refs/heads/master@{#423191}

[modify] https://crrev.com/42fd7d7967bef71ac8d1b252c988529cbe5d8fa3/chrome/browser/chromeos/accessibility/accessibility_highlight_manager.cc
[modify] https://crrev.com/42fd7d7967bef71ac8d1b252c988529cbe5d8fa3/chrome/browser/chromeos/ui/accessibility_focus_ring_controller.cc
[modify] https://crrev.com/42fd7d7967bef71ac8d1b252c988529cbe5d8fa3/chrome/browser/chromeos/ui/accessibility_focus_ring_controller.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8c14bf7d37bec879a5caa162f2c72a303da1a6e0

commit 8c14bf7d37bec879a5caa162f2c72a303da1a6e0
Author: enne <enne@chromium.org>
Date: Wed Oct 05 19:10:31 2016

Fix overflow/underflow in ui/gfx once and for all

ui/gfx/geometry currently has a number of spots where adding or
subtracting two integers can cause overflow or underflow.  Fix this so
that Point/Vector2d/Size/Rect all correctly clamp integer arithmetic to
not fall into undefined overflow or underflow.

The behavior is now that any operation that would have overflowed or
underflowed is now clamped to the max or min integer.  Additionally, for
rects, if their size is large enough to overflow right/bottom, this will
also be clamped.

gfx::Insets is left unchanged as it is only used by ui/views and so is
much more likely to be under user control and not overflow.

This patch also fixes an overflow error in the unit test that happened
in Rect::Inset.

BUG= 648214 

Review-Url: https://codereview.chromium.org/2354783004
Cr-Commit-Position: refs/heads/master@{#423243}

[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/mojo/geometry.typemap
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/point.h
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/point_unittest.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/rect.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/rect.h
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/rect_unittest.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/safe_integer_conversions.h
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/safe_integer_conversions_unittest.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/size.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/size_unittest.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/vector2d.cc
[modify] https://crrev.com/8c14bf7d37bec879a5caa162f2c72a303da1a6e0/ui/gfx/geometry/vector2d_unittest.cc

[Automated comment] removing mislabelled merge-merged-2840

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot